Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 04/20/04
- Previous message: Sami POTIRCA: "Re: BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure"
- In reply to: Ready Response: "phpBB 2.0.8a and lower - IP spoofing vulnerability"
- Next in thread: Xin LI: "Re: phpBB 2.0.8a and lower - IP spoofing vulnerability"
- Reply: Xin LI: "Re: phpBB 2.0.8a and lower - IP spoofing vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 Apr 2004 16:15:48 +0400
To: Ready Response <wang@mod-x.co.uk>
Dear Ready Response,
--Monday, April 19, 2004, 4:01:29 AM, you wrote to bugtraq@securityfocus.com:
RR> the users IP address in the common.php script. This issue is caused
RR> by blind trust of the X-Forwarded-For HTTP header. A remote attacker
This issue is very common for different BBs (for example Iconboard has the
same problem); in addition to IP spoofing it's usually possible to cause
cross-site scripting by inserting script into a forged X-Forwarded-For
header.
-- ~/ZARAZA But after all, eggs, heels and bishops could come into anyone's head. (Lem)
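The header-trust mistake discussed in this thread, as an added example that is not phpBB's code or any poster's: a PHP helper that honours X-Forwarded-For only when the TCP peer is a trusted reverse proxy (TRUSTED_PROXIES is an assumed list, and a single proxy hop is assumed) and discards any value that is not an IP literal, which also closes the cross-site scripting path the reply mentions.

```php
<?php
// Added example (not phpBB's own code): derive the client IP without blindly
// trusting X-Forwarded-For. The header is honoured only when the TCP peer
// (REMOTE_ADDR) is one of our reverse proxies, and only if the claimed value
// parses as an IP address, so forged text never reaches the database or a page.

/** Trusted reverse proxies; assumed values for this example. */
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * @param array $server  a copy of $_SERVER (or a constructed one for testing)
 * @return string|null   the client IP, or null if it cannot be determined safely
 */
function resolve_client_ip(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;                         // no usable socket address
    }
    // Not behind one of our proxies: the header is attacker-controlled, ignore it.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    // A proxy appends the address of the peer it saw to the end of the list, so
    // with a single trusted hop the right-most entry is the one our proxy added;
    // everything to its left was supplied by the client and stays untrusted.
    $hops = array_map('trim', explode(',', $xff));
    $claimed = end($hops);
    // Validate strictly: anything that is not an IP literal (markup, script,
    // hostnames) is dropped rather than stored or echoed back into a page.
    if (filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    return $claimed;
}

// Constructed requests: a direct client forging the header, and a proxied one.
$forged = ['REMOTE_ADDR' => '203.0.113.9',
           'HTTP_X_FORWARDED_FOR' => '127.0.0.1, not-an-ip <b>x</b>'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 192.0.2.44'];

var_dump(resolve_client_ip($forged));   // the socket peer, header ignored
var_dump(resolve_client_ip($proxied));  // the address our proxy appended
```

The direct request yields the socket peer 203.0.113.9 because the header is ignored, while the proxied request yields 192.0.2.44, the entry our proxy appended.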